https://github.com/youngyangyang04/nosqlattack
NoSQLAttack is an open source Python tool to automate exploit MongoDB server IP on Internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks.
https://github.com/youngyangyang04/nosqlattack
Last synced: 7 months ago
JSON representation
NoSQLAttack is an open source Python tool to automate exploit MongoDB server IP on Internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks.
- Host: GitHub
- URL: https://github.com/youngyangyang04/nosqlattack
- Owner: youngyangyang04
- License: gpl-3.0
- Created: 2016-05-19T14:26:29.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2024-04-08T15:41:47.000Z (almost 2 years ago)
- Last Synced: 2025-06-04T03:57:51.305Z (7 months ago)
- Language: Python
- Homepage:
- Size: 1.05 MB
- Stars: 310
- Watchers: 8
- Forks: 88
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
README
# [中文说明](https://github.com/youngyangyang04/NoSQLAttack/blob/master/docs/README-zh.md)
# NoSQLAttack
# Introduction
NoSQLAttack is an open source Python tool to automate expose MongoDB server IP on the internet and disclose the database data by MongoDB default configuration weaknesses and injection attacks. Presently, this project focuses on MongoDB.
Some attack tests are based on and extensions of follow papers
* [Diglossia: Detecting Code Injection Attacks with Precision and Efficiency](http://www.cs.cornell.edu/~shmat/shmat_ccs13.pdf)
* [No SQL, No Injection?](https://www.research.ibm.com/haifa/Workshops/security2015/present/Aviv_NoSQL-NoInjection.pdf)
* [Several thousand MongoDBs without access control on the Internet](https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf).
There are two systems for testing NoSQL injection in this project-[NoSQLInjectionAttackDemo](https://github.com/youngyangyang04/NoSQLInjectionAttackDemo).
# Background
NoSQL injection attacks, for example php array injection, javascript injection and mongo shell injection, endanger mongoDB.
There are thousands of mongoDB are exposed on the internet, and hacker can download data from exposed mongoDB.
# Requirements
On a Debian or Red Hat based system, NoSQLAttack's dependencies already be writen in setup.py.
This project is built on Pycharm COMMUNITY 2016.1 with python 2.7.10.
Varies based on features used:
* Shodan-1.5.3
* httplib2-0.9
* Python-2.7
* pymongo-2.7.2
* requests-2.5.0
* ipcalc-1.1.3
* MongoDB
# Building
On Linux, it goes something like this:
```bash
cd NoSQLAttack
python setup.py install
```
# Tips
* If after entering "python setup.py install", terminal show error information "No module named setuptools", just install setuptools. On Ubuntu, "sudo apt-get install python-setuptools", this command is useful
* Install [MongoDB](https://docs.mongodb.com/manual/administration/install-on-linux/) for MongoDB default configuration attack.
# Usage
After building, you can run NoSQLAttack like this:
```bash
NoSQLAttack
```
Upon starting NoSQLAttack you are presented with the main menu:
```bash
================================================
_ _ _____ _____ _
| \ | | / ___|| _ | |
| \| | ___ \ `--. | | | | |
| . ` |/ _ \ `--. \| | | | |
| |\ | (_) /\__/ /\ \/' / |____
\_| \_/\___/\____/ \_/\_\_____/
_
/\ _ _ | | _
/ \ _| |_ _| | _____ ___ | | / /
/ /\ \ |_ _||_ _| / __ \ / __| | |/ /
/ /--\ \ | |_ | |_ | |_| | | |__ | |\ \
/ / -- \ \ \___\ \___\ \______\ \___| | | \_\
================================================
NoSQLAttack-v0.2
sunxiuyang04@gmail.com
1-Scan attacked IP
2-Configurate parameters
3-MongoDB Access Attacks
4-Injection Attacks
x-Exit
```
# videos
NoSQLAttack Demo for MongoDB.
(1)default configuration Attacks demo (2)injection attacks demo
